Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Civil Service Commission (November 8, 2024)
November 8, 2024 · Civil Service Commission · Read the full official report on mass.gov ↗
source
“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit about whether government workers completed cybersecurity training during the audit period.
“This audit covers the period July 1, 2021 through April 30, 2023 and includes the following agencies:”
The auditor checked whether EOTSS and 22 other public entities followed the state’s cybersecurity training rules.
“Pursuant to our governing statute, Section 12 of Chapter 11 of the General Laws, our audit covers multiple entities’ compliance with EOTSS’s cybersecurity training standards.”
Missed cybersecurity training can leave agencies more vulnerable to cyberattacks, money losses, and damage to public trust.
“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
Cybersecurity training helps protect state systems and data used to deliver public services to residents, businesses, motorists, families, and others.
“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The audit’s answer was no: the reviewed entities did not all make sure their employees completed the required training.
“Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?”
The auditor recommended stronger tracking, better onboarding controls, required training for all employees, and consequences when training is not completed.
“The aforementioned three regional transit authorities should do the following:”
This was not a single-office issue; the report covered EOTSS plus executive branch agencies, public colleges and universities, and regional transit authorities across Massachusetts.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Executive Office of Technology Services and Security (EOTSS), as well as 22 other executive branch agencies, state colleges and universities, and regional transit authorities.”
“Cybersecurity awareness training” means teaching employees their role in protecting government information from being exposed, unavailable, or changed improperly.
“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”
What the Auditor checked
- Did not comply Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: EOTSS may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 require initial and annual cybersecurity awareness training. ( Section 12 of Chapter 11 of the Massachusetts General Laws; Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
4 recommendations
- EOTSS should strengthen their policy to improve oversight of executive branch state agencies, including their timely completion of cybersecurity awareness trainings.
- EOTSS should ensure that all employee training transcripts for all employees are maintained and include records regarding cybersecurity awareness training completion.
- EOTSS should ensure that all of its employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
- EOTSS should establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure that employees meet training deadlines.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Why it matters: The agencies may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 require initial and annual cybersecurity awareness training. ( Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
3 recommendations
- Provide cybersecurity awareness training to all full-time employees, contractors, and interns.agency: partially agreed
- Establish procedures to monitor cybersecurity training completion throughout the training cycle and use HRD historical data to ensure deadlines are met.agency: partially agreed
- Implement controls to ensure new hire onboarding includes all required cybersecurity awareness training coursework.agency: partially agreed
Agency response & Auditor reply
Auditor: "Based on its response, DLS will take measures to address our concerns regarding this matter."
Why it matters: The colleges and universities may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 require initial and annual cybersecurity awareness training. ( Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010; Generally Accepted Government Auditing Standards Section 8.18 )
2 recommendations
- The seven state colleges and universities should update cybersecurity awareness training policies to require training for all employees.agency: partially agreed
- The seven state colleges and universities should update cybersecurity awareness training policies to include consequences for non-completion.agency: partially agreed
Agency response & Auditor reply
Agency: "We are in agreement with the merits of the [EOTSS] Standard and the University is now aligned with the goals of the cybersecurity awareness training."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Why it matters: The regional transit authorities may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 require initial and annual cybersecurity awareness training. ( Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010; Generally Accepted Government Auditing Standards Section 8.18 )
2 recommendations
- The three regional transit authorities should update cybersecurity awareness training policies to require training for all employees.agency: partially agreed
- The three regional transit authorities should update cybersecurity training policies to include consequences for non-completion.agency: partially agreed
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "As noted above within the auditees’ responses, many RTAs have already started addressing our concerns in this area."
More audits of this entity
Other Office of the State Auditor reports on Civil Service Commission .
- Audit of the Civil Service Commission (CSC)Authority / Commission · November 8, 2019
-
Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies - Civil Service Commission (January 28, 2025)Authority / Commission · January 28, 2025 - Civil Service CommissionAuthority / Commission · April 22, 2011